[apparmor] New LibreOffice Profile
Seth Arnold
seth.arnold at canonical.com
Sat Apr 4 03:01:14 UTC 2015
On Fri, Apr 03, 2015 at 01:57:21PM -0400, Bryan Quigley wrote:
> I've pretty much re-reviewed every line and determined a couple
> abstractions could be dropped.
These are looking impressive; I used to think that profiles for standard
desktop programs were going to be too difficult to write, but these look
like the result of concerted effort to improve profiles among many
different users.
> /tmp access was able to be refined a bunch
>
> >>> This profile should not be turned on by default because:
> >>
> >> That means it should probably live in the extra profiles directory, with
> >> the disadvantage that not too many people look into it or use it.
> Upon reviewing the Ubuntu apparmor-profiles package I noticed that it
> does complain mode by default. That should be fine. So maybe not in
> -extra?
It's tough to say; it'd be nice if it were easily available for those who
want to try it out and give us feedback but I'm not yet confident we'd
want to turn it on by default.
> >> Indeed, the soffice.bin comes with an impressive collection of
> >> abstractions and other permissions. (I hope you have good reasons for
> >> each of them ;-)
>
> Tried to make that better, but it seems I still need the read
> everywhere for the file selector. I couldn't find a way to just give
> "directory listing" permissions everywhere..
I noticed a stray /** r, permission in one of the files; it might be best
to replace that with / r, /**/ r, and re-test.
> I added profiles for LibreOffice's built-in launching programs which
> make some of the abstractions/ubuntu useless.
I did wonder if some of the xdg-open kinds of rmPUx permissions might be
replaced with the sanitized_helper that ubuntu uses elsewhere.
> my takeaways from profiling:
> LibreOffice should use a prefix when writing tmp files
> Moving to just always use xdg-open might get rid of 3 scripts in LO.
Both seem like good ideas. We might want to try to get Sweetshark's input
on changing some tmp filenames.
It'd be far better to #include <abstractions/base> in each of the
profiles: by including only the file accesses from the base abstraction,
programs that run in these profiles are essentially unkillable: apparmor
will forbid other programs, even unconfined root processes, from sending
these processes signals. <abstractions/base> includes some rules that are
necessary to have a linuxy-feeling linux system. (We made them
configurable just in case someone actually wants to prevent unconfined
processes from communicating with confined processes via signals --
potentially important in high-assurance environments.)
I've got some specific feedback on the profiles, I hope you find it
useful; my comments are prefixed with ###. (I've removed the base files
that were in three of them, I think they should be removed and just
include base.)
Thanks
#include <tunables/global>
/usr/lib/libreoffice/program/open-url {
owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
#Note, usually it's lub or luc, don't know why.
### Might as well include /bin/bash rmix, for systems where /bin/sh is a
### symlink to /bin/bash
/bin/sh rmix,
/bin/dash rmix,
/bin/sed rmix,
/bin/grep rmix,
/usr/bin/xdg-open rmPUx,
/dev/null rw,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice/4/user/uno_packages/cache/log.txt rw,
}
#include <tunables/global>
/usr/lib/libreoffice/program/senddoc {
owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
#Note, usually it's lub or luc, don't know why.
### Might as well include /bin/bash rmix, for systems where /bin/sh is a
### symlink to /bin/bash
/bin/sh rmix,
/bin/dash rmix,
/bin/sed rmix,
/usr/bin/dirname rmix,
/usr/bin/basename rmix,
/bin/grep rmix,
/bin/uname rmix,
/usr/bin/xdg-open rmPUx,
/usr/bin/gnome-open rmPUx,
/usr/lib/libreoffice/program/uri-encode rmPUx,
/dev/null rw,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice/4/user/uno_packages/cache/log.txt rw,
}
#This profile should enable the average LibreOffice user to get their
# work done while blocking some advanced usage
# Namely not tested and likely not working : embedded plugins,
# Using the LibreOffice SDK and other development tasks
# Everything else should be working
#Defines all common supported file formats
#Some obscure ones we're excluded (mostly input)
### The comments don't always match the regex; txt is included twice,
### which will make compilation slightly slower
#Generic
@{libreoffice_ext} = [tT][xX][tT] # .txt
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF] # All the open document format
@{libreoffice_ext} += [xX][mMsS][lL] # .xml
@{libreoffice_ext} += [tT][xX][tT] # .txt
@{libreoffice_ext} += [pP][dD][fF] # .pdf
@{libreoffice_ext} += [uU][oO][fFtTsSpP] # .pdf
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L} # htm html xhtm xhtml
#Images #these were all rw, while everything else was rwk
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ]
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]
#Writer
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]
#Calc
@{libreoffice_ext} += [xX][lL][sSwWtT]{,x,X}
@{libreoffice_ext} += [dD][iIbB][fF] #.dif dbf
@{libreoffice_ext} += [cCtT][sS][vV] #.tsv .csv
@{libreoffice_ext} += [sS][lL][kK]
#Impress/Draw
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
@{libreoffice_ext} += [sS][wW][fF]
@{libreoffice_ext} += [pP][sS][dD] #Photoshop
#Math
@{libreoffice_ext} += [mM][mM][lL]
#include <tunables/global>
/usr/lib/libreoffice/program/soffice.bin {
#include <abstractions/private-files-strict>
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/gnome>
### Don't forget to remove the /** r, and re-test...
#Read everywhere for file browser (open/save)
/** r, #Yes this makes a lot of the read access below redundant
#but if your users are only going to need /home/username, etc you can remove it
### Perhaps a variable for /mnt/ and /media/ too -- sites may mount
### user-writable directories in many possible places, having one place to
### change it might make sense
# allow creating directories that we own
owner /mnt/**/ rw,
owner /media/**/ rw,
owner @{HOME}/**/ rw,
# lock file support
owner @{HOME}/**~lock.* rw,
owner /media/**~lock.* rw,
owner /mnt/**~lock.* rw,
#Open files with correct filetype
owner @{HOME}/**.@{libreoffice_ext} rw,
owner /media/**.@{libreoffice_ext} rw,
owner /mnt/**.@{libreoffice_ext} rw,
# Settings
/etc/libreoffice/ r,
/etc/libreoffice/** r,
### There's some trailing spaces at the end of the rw, line:
owner @{HOME}/.config/libreoffice/** rwk,
owner @{HOME}/.cache/fontconfig/** rw,
owner @{HOME}/.config/gtk-3.0/bookmarks r, #Make bookmarks work
owner /{,var/}run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
# allow schema to be read
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
# bluetooth send to
network bluetooth,
/bin/sh rmix,
/bin/dash rmix,
/usr/bin/bluetooth-sendto rmPUx,
/usr/bin/lpr rmPUx,
/usr/bin/paperconf rmix,
### I think something went wrong with the @multiarch here..
/usr/lib/@multiarch/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rmPUx,
owner @{HOME}/.cache/gstreamer-1.0/** rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
/usr/lib/jvm/ r,
/usr/lib/jvm/** r,
/usr/lib/libreoffice/** r,
/usr/lib/libreoffice/**.so rm,
/usr/lib/libreoffice/program/gnome-open-url rmPUx, #This doesn't seem to be used on my install
/usr/lib/libreoffice/program/soffice.bin rmix,
/usr/lib/libreoffice/program/xpdfimport rPx,
/usr/lib/libreoffice/program/open-url rPx,
/usr/lib/libreoffice/program/senddoc rPx,
/usr/lib/ure/ r,
/usr/lib/ure/** rm,
/usr/share/java/**.jar r,
/usr/share/hunspell/ r,
/usr/share/hunspell/** r,
/usr/share/hyphen/ r,
/usr/share/hyphen/** r,
/usr/share/mythes/ r,
/usr/share/mythes/** r,
/usr/share/liblangtag/ r,
/usr/share/liblangtag/** r,
/usr/share/libreoffice/ r,
/usr/share/libreoffice/** r,
### I suggest removing the '"c" not w' comment -- probably once the files
### are created, they would then need write access...
/var/spool/libreoffice/ r,
/var/spool/libreoffice/** rw, #Needs "c" not w
}
#include <tunables/global>
/usr/lib/libreoffice/program/xpdfimport {
owner /tmp/* r, #Seems to need to read file created with pattern /tmp/RRRRRR
owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
#Note, usually it's lub or luc, don't know why.
/usr/share/poppler/** r,
/usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice/4/user/uno_packages/cache/log.txt rw,
}
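To make the review points above mechanically checkable, here is a small lint (an added example, not code from this thread or from the AppArmor project) that flags a blanket "/** r," rule, a profile block that never includes abstractions/base, trailing whitespace on a rule line, a bare "@multiarch" where "@{multiarch}" is meant, and a duplicated @{libreoffice_ext} value. It assumes the plain "/path {" block form used in the posted profiles and is a heuristic, not a replacement for apparmor_parser.

```python
import re

# Constructed sample built from fragments of the posted profiles; the
# trailing spaces, '@multiarch' and duplicate .txt entry are deliberate.
SAMPLE = "\n".join([
    "#include <tunables/global>",
    "@{libreoffice_ext} = [tT][xX][tT]",
    "@{libreoffice_ext} += [pP][dD][fF]",
    "@{libreoffice_ext} += [tT][xX][tT]",
    "/usr/lib/libreoffice/program/soffice.bin {",
    "  #include <abstractions/gnome>",
    "  /** r,",
    "  owner @{HOME}/.config/libreoffice/** rwk,   ",
    "  /usr/lib/@multiarch/gstreamer1.0/gst-plugin-scanner rmPUx,",
    "}",
]) + "\n"

def lint_profile(text):
    """Return (lineno, message) pairs; assumes the plain '/path {' block form."""
    findings = []
    seen = set()                 # (variable, value) pairs already assigned
    profile, has_base = None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if raw != raw.rstrip():
            findings.append((n, "trailing whitespace"))
        m = re.match(r"^(\S+)\s*\{$", line)
        if m:                    # entering a profile block
            profile, has_base = m.group(1), False
            continue
        if line == "}":          # leaving it: base must have been included
            if profile and not has_base:
                findings.append((n, f"{profile}: missing #include <abstractions/base>"))
            profile = None
            continue
        if line == "#include <abstractions/base>":
            has_base = True
        if re.match(r"^/\*\*\s+r,", line):
            findings.append((n, "blanket '/** r,'; use '/ r,' and '/**/ r,' for listing"))
        if "@multiarch" in line and "@{multiarch}" not in line:
            findings.append((n, "'@multiarch' should be '@{multiarch}'"))
        m = re.match(r"^@\{(\w+)\}\s*\+?=\s*(\S+)", line)
        if m:
            key = (m.group(1), m.group(2))
            if key in seen:
                findings.append((n, f"duplicate value {key[1]} for @{{{key[0]}}}"))
            seen.add(key)
    return findings
```

Running it over the sample reports the duplicate .txt entry, the blanket read, the trailing spaces, the bare @multiarch and the missing base include, in that order.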